The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics", as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".

Tuesday, August 05, 2008

MRT

The SANS Internet Storm Center had an interesting post the other day about the Microsoft Malicious Software Removal Tool (aka MRT). What I took away from the post is that KB 891716 says that whenever MRT is run, the "Version" value beneath the HKLM\SOFTWARE\Microsoft\RemovalTools\MRT key is updated with a new GUID. That GUID can be compared to the list of GUIDs in the same KB article, which maps each GUID to the monthly MRT release it belongs to, and then correlated against the MRT.log file itself (%SystemRoot%\debug\mrt.log), which records each run. KB 890830 contains the list of malicious software that MRT is intended to detect and remove.

From a forensic analysis perspective, this provides some good information: the GUID tells you which monthly release of MRT last ran, the key's LastWrite time tells you when, and the KB 890830 list tells you which malware families that release would have looked for. Put together, you can say whether the system had ever been checked for a given family, and as of which release, which helps scope what may or may not be on the system.
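To show the correlation described above in working code, here is an added Python example. It is not the post's RegRipper plugin and not Microsoft's code: it parses a constructed MRT.log excerpt (modelled on the log's layout, with both a clean and an infected run) into one record per run, then checks the key's Version GUID and LastWrite time against the last logged run. The GUID and the GUID-to-release table in the block are made-up stand-ins for the real table in KB 891716 and must be replaced with values from the KB; the registry LastWrite time is UTC while MRT.log timestamps are local time, so the caller supplies the system's UTC offset.

```python
"""Correlate the MRT registry key with the run records in MRT.log.

Added example, not the post's RegRipper plugin. The log text is a
constructed sample modelled on the MRT.log layout; the GUID and the
GUID-to-release table are made-up stand-ins for the real table in
KB 891716 and must be replaced with values taken from the KB.
"""
import re
from datetime import datetime, timedelta

# Constructed MRT.log excerpt with two runs (real file: %SystemRoot%\debug\mrt.log).
SAMPLE_MRT_LOG = """\
Microsoft Windows Malicious Software Removal Tool v1.35, December 2007
Started On Tue Dec 11 09:14:02 2007

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 11 09:14:40 2007

Return code: 0 (0x0)
Microsoft Windows Malicious Software Removal Tool v1.36, January 2008
Started On Tue Jan 08 10:02:33 2008

Results Summary:
----------------
Found virus: Win32/Virtumonde
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jan 08 10:03:01 2008

Return code: 6 (0x6)
"""

# Hypothetical GUID -> release mapping; the real one is the table in KB 891716.
SAMPLE_GUID_TABLE = {
    "{11111111-2222-3333-4444-555555555555}": "January 2008",
}

HEADER = re.compile(r"^Microsoft Windows Malicious Software Removal Tool "
                    r"v(?P<version>[\d.]+), (?P<release>[A-Za-z]+ \d{4})$")
STARTED = re.compile(r"^Started On (?P<ts>.+)$")
FINISHED = re.compile(r"Finished On (?P<ts>.+)$")
FOUND = re.compile(r"^Found (?:virus|malware): (?P<name>\S+)")
RETCODE = re.compile(r"^Return code: (?P<code>\d+)")
TS_FMT = "%a %b %d %H:%M:%S %Y"   # log timestamps are local time with no zone


def parse_mrt_log(text):
    """Split MRT.log into one record per run, keyed on the version header line."""
    runs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"version": m["version"], "release": m["release"], "started": None,
                   "finished": None, "found": [], "return_code": None}
            runs.append(cur)
            continue
        if cur is None:
            continue
        if m := STARTED.match(line):
            cur["started"] = datetime.strptime(m["ts"], TS_FMT)
        elif m := FINISHED.search(line):
            cur["finished"] = datetime.strptime(m["ts"], TS_FMT)
        elif m := FOUND.match(line):
            cur["found"].append(m["name"])
        elif m := RETCODE.match(line):
            cur["return_code"] = int(m["code"])
    return runs


def correlate(version_guid, key_lastwrite_utc, runs, guid_table,
              log_utc_offset, tolerance=timedelta(hours=1)):
    """Check the key's Version GUID and LastWrite time against the last logged run.

    key_lastwrite_utc: LastWrite time of the MRT key (registry timestamps are UTC).
    log_utc_offset:    the system's UTC offset when the log was written, e.g.
                       timedelta(hours=-5) for EST, used to convert log times to UTC.
    Returns a list of finding strings; an empty list means everything lines up.
    """
    findings = []
    release = guid_table.get(version_guid.upper())
    if release is None:
        findings.append(f"Version GUID {version_guid} is not in the KB 891716 table")
    if not runs:
        findings.append("MRT.log contains no run records")
        return findings
    last = max(runs, key=lambda r: r["started"])
    if release and last["release"] != release:
        findings.append(f"GUID maps to the {release} release but the last logged run "
                        f"is {last['release']}")
    start_utc = last["started"] - log_utc_offset
    end_utc = (last["finished"] or last["started"]) - log_utc_offset
    # The Version value is written during the run, so LastWrite should sit inside it.
    if not (start_utc - tolerance <= key_lastwrite_utc <= end_utc + tolerance):
        findings.append(f"key LastWrite {key_lastwrite_utc} falls outside the last logged "
                        f"run ({start_utc} to {end_utc} UTC); log or hive may be stale or altered")
    for r in runs:
        if r["found"]:
            findings.append(f"{r['release']} run on {r['started']} reported: "
                            f"{', '.join(r['found'])}")
    return findings


if __name__ == "__main__":
    sample_runs = parse_mrt_log(SAMPLE_MRT_LOG)
    for finding in correlate("{11111111-2222-3333-4444-555555555555}",
                             datetime(2008, 1, 8, 15, 2, 40), sample_runs,
                             SAMPLE_GUID_TABLE, log_utc_offset=timedelta(hours=-5)):
        print(finding)
```

On a real case you would feed the Version data and the key's LastWrite time from RegRipper's output, the GUID table from KB 891716, and the contents of %SystemRoot%\debug\mrt.log; a LastWrite time that sits outside the last logged run, or a GUID whose release does not match the last run's header, is the cue to look harder at whether the hive or the log has been restored, rolled back, or edited.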

I put together a quick RegRipper plugin to parse this key, and when it is run via rip.exe, the output looks as follows:

Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT was last run. According to the KB article, each time MRT is run, a new GUID is written to the Version value.

If you check KB 891716 for the above listed GUID, you'll see that it corresponds to the January 2008 release of MRT, which correlates with the LastWrite time of the key itself. By cross-referencing that release with the malware list in KB 890830, you can see which malware families the system is supposed to be protected against.

Notice that I've added an "Analysis Tip" to this plugin. I've also included some additional information in the header of the plugin itself, which is simply a text-based Perl script that can be opened in any editor, much like Nessus plugins.